Conventionally, systems are in practical use that require a user to enter a password in order to decide whether to accept or reject the utilization of a resource provided by a resource server. The resource to be provided takes various forms, such as exchanging and storing various files, viewing mail, news, still images, and motion images, listening to music, and utilizing various applications.
In this case, for the purpose of deciding whether to accept or reject the resource utilization, the resource server stores either the password itself or a random-looking letter string obtained by applying a one-way hash function to the password. A scheme in which a letter string called a salt, defined for each user, is appended to the password before the hash function is applied is also adopted. When a one-way hash function is applied, the password is verified at authentication not by comparing the password letter string itself, but by comparing the hash value of the password entered by the user with the hash value stored in the resource server.
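The storage and verification scheme described above, as an added example that is not part of the original text and not code from any product it refers to. It assumes PBKDF2-HMAC-SHA256 with a 16-byte per-user salt as one concrete choice of one-way hash function (the text does not specify one), and contrasts it with the unsalted variant to show why the salt is used:

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2; an assumed value chosen for illustration only.
HASH_ITERATIONS = 600_000


def unsalted_hash(password: str) -> bytes:
    """Hash of the bare password: two users with the same password get the same value."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a resource server would store for one user.

    Only the per-user salt and the one-way hash are kept; the password itself is not.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt defined for this user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HASH_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(entered_password: str, record: dict) -> bool:
    """Check consistency of the entered password with the stored record.

    The server never compares password strings: it recomputes the hash with the
    stored salt and compares hash values, using a constant-time comparison.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", entered_password.encode("utf-8"), record["salt"], HASH_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def same_password_distinct_hashes(password: str) -> bool:
    """With per-user salts, two users sharing a password store different hashes,
    yet each record still verifies that password."""
    first = make_record(password)
    second = make_record(password)
    return (
        first["hash"] != second["hash"]
        and verify(password, first)
        and verify(password, second)
    )


if __name__ == "__main__":
    # Constructed sample: one user registers, then logs in with a right and a wrong password.
    record = make_record("correct-horse-battery")
    print("right password accepted:", verify("correct-horse-battery", record))
    print("wrong password rejected:", not verify("wrong-password", record))
    print("salted hashes differ per user:", same_password_distinct_hashes("shared"))
```

The `unsalted_hash` function is included only to make the contrast visible: without a salt, a leaked table of hashes lets identical passwords be spotted at a glance and precomputed tables apply, which is exactly what the per-user salt prevents.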
In general, since resource servers are operated by various service providers, the configuration and settings of resource servers may differ, and their security levels differ accordingly. Hence, a password may be revealed when a certain server is attacked, when security information is leaked by a company member, or when the information is disclosed through a user's carelessness.
In this case, when a common password is used for multiple resource servers, the revelation of the password for one resource server enables unauthorized access to the other resource servers. Hence, a password that is different for each resource server is desirable.
In addition, a brute-force attack is known in which passwords, such as the letter strings listed in a dictionary, are entered in sequence in an attempt to log in to the resource server. Therefore, a password formed of a letter string created at random is desirable. However, such a letter string is not easy for a human to memorize.
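The preference for randomly created passwords, as an added example not taken from the original text: it generates a password from a cryptographically secure source and compares the size of the guess space with that of a dictionary word. The 62-symbol alphabet, the 16-character length and the dictionary size of 200,000 words are assumptions made for the illustration.

```python
import math
import secrets
import string

# Assumed alphabet: upper- and lower-case letters plus digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def random_password(length: int = 16) -> str:
    """Create a password letter string at random using the secrets module
    (not the random module, which is not suitable for security purposes)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def dictionary_word_bits(word_count: int) -> float:
    """Entropy in bits of a password chosen as one word from a dictionary of word_count words."""
    return math.log2(word_count)


def expected_guesses(bits: float) -> float:
    """Average number of sequential guesses needed to hit a password of the given entropy."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    pw = random_password(16)
    rand_bits = random_string_bits(len(ALPHABET), len(pw))
    dict_bits = dictionary_word_bits(200_000)  # assumed dictionary size
    print("random password:", pw)
    print(f"random string: {rand_bits:.1f} bits, ~{expected_guesses(rand_bits):.3g} guesses on average")
    print(f"dictionary word: {dict_bits:.1f} bits, ~{expected_guesses(dict_bits):.3g} guesses on average")
```

The gap between the two figures is the whole reason dictionary attacks work: a word from even a large dictionary is found in on the order of 10^5 attempts, whereas a 16-character random string from this alphabet needs on the order of 10^28.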
In this case, the following literatures disclose technologies for managing a large number of passwords that differ for each resource server and are not easy to memorize.